Pretexting, what is it? | Social engineering

Pretexting is another form of social engineering where attackers focus on creating a good pretext, or a fabricated scenario, that they can use to try to steal their victims’ personal information. These attacks commonly take the form of a scammer pretending to need certain information from their target in order to confirm the target’s identity.

HOW IS IT DONE?

Pretexters can impersonate co-workers, police officers, bankers, tax authorities, clergy, insurance investigators, etc. Simply put: anyone who can be perceived by the targeted victim as having authority or a right to know. The pretexter must simply prepare answers to the questions the victim might ask. Sometimes an authoritative voice, an earnest tone, and an ability to think on one’s feet are all that is needed to create a pretextual scenario.

Pretexting attacks are commonly used to gain both sensitive and non-sensitive information. Back in October, for instance, a group of scammers posed as representatives from modeling agencies and escort services. They invented fake background stories and interview questions to make women and teenage girls send them nude pictures of themselves. Later, they sold those pictures to pornographic businesses for large amounts of money.

One of the most important aspects of social engineering is trust. If you cannot build trust, you will most likely fail. A solid pretext is an essential part of building trust. If your alias, story, or identity has holes or lacks credibility, or even the perception of credibility, the target will most likely catch on. Like inserting the proper key in a lock, the right pretext provides the proper cues to those around you and can disarm their suspicions or doubts and open the doors, so to speak.

DEFEND YOURSELF AGAINST PRETEXTING!

Like any other defense to social engineering, you must be proactive and not reactive.

Pretexting – Liars Don’t Actually Get Longer Noses!

If you receive an e-mail from someone saying that a maintenance worker will be swinging by, contact the sender’s company, not the sender. Give them a ring and verify that they are sending someone. If you are home when the worker arrives, ask to speak to their supervisor; don’t take their word for it. Ask for the company’s corporate number and their supervisor’s name, so that you can call from your own personal phone. It may seem rude, but if they are a social engineer, your best defense is to punch holes in their story.

The same applies to websites advertising events and expos. Call the event center and ask about the event; go straight to the source. Beware of any website that only accepts cash or PayPal.

In any event, your best measure of protection is to hit the source of the pretext. If the social engineer is using pretexting, their weakest point is the fact that their source doesn’t exist: it’s all fabricated.